CloudTrust Protocol Information Overview (pdf) - Cloud Security ...


CloudTrust Protocol
Orientation and Status
June 2011
Ron Knode

CloudTrust Protocol Orientation | Ron Knode | CTP to CSA 6 June 2011 Page 1


CloudTrust Protocol Orientation Topics
• Why is it?
• What is it?
• CTP transfer to CSA
• {Strong} connection to CloudAudit
• Existing plans & strategies
• Things for the CSA/CloudAudit to “resolve”
• … other stuff …


The Value Equation in the Cloud
Security Service + Transparency Service = Compliance & Trust VALUE Captured
(delivering evidence-based confidence … with compliance-supporting data & artifacts)
Source: CSC


The CTP Transfer
• Nonexclusive, no-cost, royalty-free license to CloudTrust Protocol (CTP Version 2.0 – see reference #2 below)
• Nonexclusive, no-cost, royalty-free license to make derivative works of/for the CTP
• CSC representative as co-chair of CSA’s CTP Working Group
• CSA to include an acknowledgement that CSC is the original developer of the CTP in any published materials (including electronic publication) that mention the CTP
• Free, unrestricted use of CTP derivative works by CSC

References
1. See “Digital Trust in the Cloud”, August 2009, www.csc.com/security/insights/32270-digital_trust_in_the_cloud
2. See “Digital Trust in the Cloud: A Precis on the CloudTrust Protocol (V2.0)”, July 2010, http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp


Research Conclusions Summary
Initial Results – August 2009
• The desire to benefit from the elastic promise of cloud processing is blocked for most enterprise applications because of security and privacy concerns.
• The re-introduction of transparency into the cloud is the single biggest action needed to create digital trust in a cloud and enable the capture of enterprise-scale payoffs in cloud processing.
• Even today there are ways to benefit from cloud processing while technologies and techniques to deliver digital trust in the cloud are evolving.
• CSC has created a definition and an approach to "orchestrate" a trusted cloud and restore needed transparency.
• Resist the temptation to jump into even a so-called “secure” cloud just to save money.
• Aim higher!
• Jump into the right “trusted” cloud to create and capture new enterprise value.
www.csc.com/security/insights/32270-digital_trust_in_the_cloud
Or at www.csc.com/lefreports


CloudTrust Protocol Revealed
(Research extension detailing ‘what’ and ‘how’ – July 2010)
• Transparency in the cloud is the key to capturing digital trust payoffs for both cloud consumers and cloud providers.
• The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency.
• The reliable delivery of only a few elements of transparency generates a lot of digital trust, and that digital trust liberates cloud users to bring more and more core enterprise services and data to cloud techniques.
• Transparency-as-a-Service (TaaS) using the CTP provides a flexible, uniform, and simple technique for reclaiming transparency into actual cloud architectures, configurations, services, and status … responding to both cloud user and cloud provider needs.
• Transparency protocols like the CTP must be accompanied by corresponding concepts of operation and contractual conditions to be completely effective.
http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp


CTP V2.0
(next updates will be published through the Cloud Security Alliance)
• Syntax
• Semantics
• Self-defined response (no insistence on orthodoxy)
• Asset model
• Scope of response
• Implementation/deployment options
• Extension


A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack
CloudTrust Protocol (CTP) Included Within CSA GRC Stack
(Diagram column headings: Government Specs | Extensions | Commercial)

Continuous monitoring … with a purpose
  Government specs: ???
  Role: deliver “continuous monitoring” required by A&A methodologies
  • Common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers

Claims, offers, and the basis for auditing service delivery
  Government specs: ???
  • Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments

Pre-audit checklists and questionnaires to inventory controls
  Government specs: FedRAMP, DIACAP, other C&A standards
  • Industry-accepted ways to document what security controls exist

The recommended foundations for controls
  Government specs: NIST 800-53, HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST 800-144, SAS 70, …
  • Fundamental security principles in assessing the overall security risk of a cloud provider


CloudTrust Protocol (CTP) Transparency as a Service (TaaS)
Reclaiming Digital Trust Across Security, Privacy, and Compliance Needs
SAS70, SSAE 16, HIPAA, ITAR, FRCP, HITECH, GLBA, PCI DSS, CFATS, DIACAP, NIST 800-53, ISO27001, CAG, ENISA, CSA V2.3, …
[Diagram labels: Enterprise; CSC Trusted Community Cloud; Private Trusted Cloud; CloudTrust Agent; CTP Response Manager (CRM); TaaS Dashboard; Downstream compliance processing; Responding to all elements of transparency; Using reclaimed visibility into the cloud to confirm security and create digital trust]
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp


Transparency-as-a-Service (TaaS)
Turn on the lights you need … when you need them
Authorized TaaS Users ask:
• What does my cloud computing configuration look like right now?
• Where are my data and processing being performed?
• Who has access to my data now?
• Who has had access to my data?
• What audit events have occurred in my cloud configuration?
• . . . . . .
• What vulnerabilities exist in my cloud configuration?
CloudTrust Protocol (CTP) Elements of Transparency
[Diagram labels: Authorized TaaS Users; Transparency-as-a-Service (TaaS); CTP; Private Cloud; Other Public Clouds; CSC Trusted Cloud]


Elements of Transparency in the CTP
• 6 Types
  • Initiation
  • Policy Introduction
  • Provider assertions
  • Provider notifications
  • Evidence requests
  • Client extensions
• Families
  • Configuration
  • Vulnerabilities
  • Anchoring
  • Audit log
  • Service Management
  • Service Statistics
• Elements (only 23 in total in the entire protocol), e.g. for the Anchoring family:
  • Geographic
  • Platform
  • Process


CloudTrust Protocol V2.0
• Syntax
  • Based on XML
  • Traditional RESTful web service over HTTP
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp


Elastic Characteristics of the CTP
[Diagram labels: Cloud Consumers; Cloud Providers; Transparency-as-a-Service; CTP]
Legend:
• Provider dimension
• Deployment dimension
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp


Multiple Styles of Implementation
The CTP is machine and human readable
• In-band
  [Diagram labels: CTP; RESTful Web Service; CloudTrust Protocol Service; RESTful Web Service; Cloud Provider; Trust Evidence (elements of transparency)]
• Out-of-band
  [Diagram labels: CTP; RESTful Web Service; CloudTrust Protocol Service; RESTful Web Service; Cloud Provider; Trust Evidence (elements of transparency)]
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp


Scope of TaaS
Enterprise or Client-specific
• Enterprise
  [Diagram labels: CTP; RESTful Web Service; CloudTrust Protocol Service; RESTful Web Service; Cloud Provider; Trust Evidence (elements of transparency)]
• Client-specific
  [Diagram labels: CTP; RESTful Web Service; CloudTrust Protocol Service; Client-deployed application; Cloud Provider; Client Trust Evidence (partial elements of transparency)]
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp


Undecided’s …
• Evidence Request category “integrity and liability verification technique”
  • Attest to the content, provenance, and imputability of the response (with legal import)
  • Transmission integrity not sufficient; require legal liability of intent to provide response as delivered
  • E.g., Surety AbsoluteProof technique
• Final namespace
• Trust package correlation with all contributing (traditional) security services
• Identity store for transparency service authorizations
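To make the "transmission integrity is not sufficient" point concrete, here is an added example (not CSC's or the CSA's code, and not the CTP V2.0 format): the provider signs its timestamp and a digest of the response body under an identity key, so the consumer can later show that this provider produced exactly this response, which a TLS session alone cannot establish. The XML body, the key handling and the function names are constructed for this illustration; the provider's public key is assumed to be published to consumers out of band.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedResponse: a CTP-style evidence response plus the provider's attestation over it.
// The body format used below is constructed for this example; it is not the CTP V2.0 XML schema.
type SignedResponse struct {
	Body      []byte // response document exactly as delivered
	Timestamp string // time the provider asserts it produced the response
	Signature []byte // Ed25519 signature over Timestamp and SHA-256(Body)
}

// NewProviderKey: the provider's identity key pair (assumed published to consumers out of band).
func NewProviderKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy source; nothing sensible to do in an example
	}
	return pub, priv
}

// attested is the exact byte string the signature covers: timestamp, separator, digest of the body.
func attested(ts string, body []byte) []byte {
	sum := sha256.Sum256(body)
	return append([]byte(ts+"\n"), sum[:]...)
}

// ProviderSign binds content and timestamp to the provider's key: the response becomes imputable to it.
func ProviderSign(priv ed25519.PrivateKey, body []byte, ts string) SignedResponse {
	return SignedResponse{Body: body, Timestamp: ts, Signature: ed25519.Sign(priv, attested(ts, body))}
}

// ConsumerVerify checks the signature against the body actually received; any later change, by anyone, fails.
func ConsumerVerify(pub ed25519.PublicKey, r SignedResponse) bool {
	return ed25519.Verify(pub, attested(r.Timestamp, r.Body), r.Signature)
}

func main() {
	pub, priv := NewProviderKey()
	body := []byte(`<ctp-response element="geographic"><region>EU-West</region></ctp-response>`) // constructed
	r := ProviderSign(priv, body, "2011-06-06T09:00:00Z")
	fmt.Println("as delivered:", ConsumerVerify(pub, r)) // true
	r.Body = []byte(`<ctp-response element="geographic"><region>US-East</region></ctp-response>`)
	fmt.Println("after alteration:", ConsumerVerify(pub, r)) // false
}
```

A signature of this kind gives content integrity, provenance and non-repudiation in one check; what it does not give is a trustworthy time, which is why the slide points at a third-party anchoring technique for the timestamp itself.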


Undecided’s …
• EoT extension technique
• Characteristics of specification
• Degree of automation
• Business constructs and back office issues, e.g.,
  • SLA foundations
  • Concepts of operation
  • Service Terms & Conditions recommendations
• Transparency operator training and operations monitoring
